Grafana LDAP integration for Apache Directory Server

Hi,
I have a problem integrating grafana with Apacheds (Apache Directory Server). I have tried all examples, issue fixes, everything, problem is, there is not much help with Apacheds. Most issues are with either OpenLDAP or Active Directory. I need some help, if someone knows what’s the problem.

My Apacheds has : 2-3 groups named graylog… (graylogAdmins, graylogUsers, etc), so I used graylog* for the group filter. The groups, which are groupOfNames objects, contain "member" attributes; that's how apacheds knows who is a member and who is not. Attribute member : uid=user@company.com,cn=section1,cn=people,dc=company,dc=com

Configuration :

#Search user bind dn
bind_dn = "$Search_User with view permissions"

#Search user bind password
bind_password = '$Password'

#User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(uid=%s)"

#An array of base dns to search through
search_base_dns = ["ou=section1,ou=people,dc=company,dc=com"]

#GROUP SEARCH ( I think here is the issue...)
group_search_filter = "(&(objectClass=groupOfNames)(cn=graylog*))"
group_search_base_dns = ["ou=group,dc=company,dc=com"]

#Specify names of the ldap attributes your ldap uses
[servers.attributes]
member_of = "distinguishedName"
name = "givenName"
surname = "sn"
username = "uid"
email = "mail"

#Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "cn=graylogAdmins,ou=group,dc=company,dc=com"
org_role = "Admin"
#The Grafana organization database id, optional, if left out the default org (id 1) will be used
#org_id = 1

[[servers.group_mappings]]
group_dn = "cn=graylogUsers,ou=group,dc=company,dc=com"
org_role = "Editor"

#[[servers.group_mappings]]
#If you want to match all (or no ldap groups) then you can use wildcard
#group_dn = "*"
#org_role = "Viewer"

Logs:

msg="Searching for user's groups" logger=ldap filter="(&(objectClass=groupOfNames)(cn=graylog*))"

msg="Ldap Auth: user does not belong in any of the specified ldap groups" logger=ldap username=user@company.com groups="[ ]"

msg="Invalid username or password" logger=context userId=0 orgId=0 uname= error="Invalid Username or Password"

Group search filter should include the username (%s is replaced by the username).

From the example:

group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"

I have tried everything.
First of all, the attribute of Apacheds in groups is "member" and not "memberUid", which consists of the whole DN (uid=…,ou=…), so I have put member=* %s*, member=%s, member='uid=%s*', member='uid=…,ou=…,cn=…'.
Also tried it with objectClass=groupOfNames, because that's what the object in Apacheds is called.

I don't know what I'm doing wrong, or if Apacheds is not integrable at the moment, because of the object and attribute difference? Thanks.

What, what? member should be a property if your ldap has the memberOf feature. If not, use group_search_filter with the member=%s

If I use the member=%s filter, output:

msg="Searching for user's groups" logger=ldap filter="(&(objectClass=groupOfNames)(member=user@company.com))"

In my directory server, the groupOfNames object has a member attribute, but it consists of the whole search DN: uid=user@company.com,ou=groups,dc=company,dc=com, for example. So I need a wildcard or something to accept the uid= before the username and the rest of the DN after the username; * %s* doesn't work.

You have 3 options.

group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
group_search_filter_user_attribute = "distinguishedName"
group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]

I think %s is going to be replaced by whatever you set group_search_filter_user_attribute to.

Thanks for the reply, yes, I have tried with those settings. Unfortunately I get a message from the apacheds server, which is shown also in the grafana logs:
N O T I M P L E M E N T E D Y E T !

It comes from the apacheds server, and I tried with versions 2.0.0-M21 and also with the newest version, which is 2.0.0-M24. So I can't use this option with member:1.2.840.113556.1.4.1941

Update: This is for Active Directory, and not ldap.

I managed to finally resolve this… with the following configurations:

search_filter = "(uid=%s)"
group_search_filter = "(&(objectClass=groupOfNames)(member=uid=%s,ou=section1,ou=people,dc=company,dc=com))"
group_search_filter_user_attribute = "uid"

member_of = "entryDN"
[[servers.group_mappings]]
group_dn = "cn=group1,ou=group,dc=linkscreens,dc=com"
org_role = "Admin"

An alternative to member_of = entryDN is (the group dn for mapping will change too):

member_of = "cn"
[[servers.group_mappings]]
group_dn = "group1"
org_role = "Admin"
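To make the failure and the fix in this thread concrete, here is an added Python simulation (not Grafana's or ApacheDS's code) of how Grafana renders group_search_filter and matches it against groupOfNames entries whose member values are full DNs. It assumes Grafana's %s substitution with the configured user attribute, and that member, being a DN-syntax attribute, supports equality matching only; it also shows, as an assumption beyond the thread, that pointing group_search_filter_user_attribute at entryDN would let the plain member=%s filter match.

```python
"""Simulate how Grafana renders group_search_filter and why the filters tried
in this thread fail or succeed. Added example, not Grafana's or ApacheDS's
code; the user, groups and matching rules below are constructed."""
import re

# Constructed data: ApacheDS groupOfNames entries hold full DNs in "member".
USER = {
    "uid": "user@company.com",
    "entryDN": "uid=user@company.com,ou=section1,ou=people,dc=company,dc=com",
}
GROUPS = [
    {"objectClass": ["groupOfNames"], "cn": ["graylogAdmins"],
     "entryDN": ["cn=graylogAdmins,ou=group,dc=company,dc=com"],
     "member": ["uid=user@company.com,ou=section1,ou=people,dc=company,dc=com"]},
    {"objectClass": ["groupOfNames"], "cn": ["graylogUsers"],
     "entryDN": ["cn=graylogUsers,ou=group,dc=company,dc=com"],
     "member": ["uid=other@company.com,ou=section1,ou=people,dc=company,dc=com"]},
]
# Simplified evaluator: a flat AND of (attr=value) assertions, no extensible matches.
ASSERTION = re.compile(r"\((\w+)=([^()]*)\)")

def render_filter(template, user, user_attr):
    """Grafana substitutes %s with the user's group_search_filter_user_attribute value."""
    return template.replace("%s", user[user_attr])

def entry_matches(entry, rendered):
    for attr, value in ASSERTION.findall(rendered):
        values = entry.get(attr, [])
        if attr == "member":
            # DN-syntax attribute: equality matching only, no substring rule, so a
            # '*' is not a wildcard here; this is why member=*%s* matched nothing.
            ok = value in values
        elif value.endswith("*"):
            ok = any(v.startswith(value[:-1]) for v in values)
        else:
            ok = value in values
        if not ok:
            return False
    return True

def user_groups(template, user, user_attr, member_of):
    """member_of values of every matching group: what Grafana compares with group_dn."""
    rendered = render_filter(template, user, user_attr)
    return [g[member_of][0] for g in GROUPS if entry_matches(g, rendered)]

if __name__ == "__main__":
    fixed = "(&(objectClass=groupOfNames)(member=uid=%s,ou=section1,ou=people,dc=company,dc=com))"
    print(user_groups("(&(objectClass=groupOfNames)(member=%s))", USER, "uid", "entryDN"))
    print(user_groups(fixed, USER, "uid", "entryDN"), user_groups(fixed, USER, "uid", "cn"))
```

The empty result for member=%s is the "user does not belong in any of the specified ldap groups" case from the logs above, and the member_of choice (entryDN or cn) decides which form group_dn must take in [[servers.group_mappings]].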